Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Maldoc: Once More It's XOR - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Maldoc: Once More It's XOR

I was asked for help with malicious Word document MD5 7ea8e50ce884dab89a13803ccebea26e.

Like always, I first run oledump.py on a sample:

As expected, it contains VBA macros. Then I quickly look at the source code of the VBA code in all macro streams (options -s a -v):

I noticed a string that looks like BASE64 at the end of the VBA source code (that's why I used a tail command in this screenshot). Checking with my tool base64dump.py confirms that this is indeed BASE64:

The output confirms that it is BASE64, although I don't recognize the binary data (most bytes are not printable characters).

The string is BASE64, and function gFpVdtRecxaZD is most likely a BASE64 decoder function. The return value of this function is used as first argument to function MOMCqdxBOimtoI. Function MOMCqdxBOimtoI takes 2 arguments, the second argument is a printable string.

I've seen this often before, MOMCqdxBOimtoI is most likely a decoding function, and the second string is the decoding key.

What encoding function? First I try XOR encoding, because it's popular. With my tool cipher-tool.py I check what the result is of XORing the decoded BASE64 string with the key:

I get a readable, known string: MSXML2.XMLHTTP. This confirms that the encoding is indeed XOR and that the second argument is the key.

Grepping for string MOMCqdxBOimtoI shows me all the lines with encoded strings:

I check the longest string first, because that's most likely the URL:

This analysis can also be automated with plugins.

My oledump plugin plugin_http_heuristics was not able to decode the URL of this sample, until I made a small change:

I'll explain the changes to this plugin in the next diary entry.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

346 Posts
ISC Handler
Reply Subscribe Oct 13th 2018
6 months ago
Do current versions of Word disable support for .DOC by default yet? It would seem to be a good idea. But they also open it in a kind of sandbox, IIRC. So what versions of Word are vulnerable to this and are they in default configuration?
 Larry Seltzer

24 Posts
Reply Quote Oct 14th 2018
6 months ago
And it would seem that WebSense/Triton hasn't seen it either. It's "uncategorized" as of now as well.
 CBob

21 Posts
Reply Quote Oct 15th 2018
6 months ago
No, .doc is fully supported.
 DidierStevens

346 Posts
ISC Handler
Reply Quote Oct 16th 2018
6 months ago

Sign Up for Free or Log In to start participating in the conversation!